Drupal MCP Context Server: The Server-vs-Client Security Architecture

Drupal MCP context server is what the ecosystem calls the module that exposes Drupal to AI agents via MCP (Model Context Protocol), the open standard that lets an agent discover and use external tools in a structured way. In Drupal, the module implementing it is changing: drupal.org confirms the original MCP module is merging into MCP Server, now the recommended module for any new implementation.
This isn't a technical footnote — it changes which module an agency should actually be installing when it promises a client "Drupal as an MCP server."
The Drupal MCP context server architecture, direction by direction
The distinction that matters for a security review is direction: is Drupal the thing being called, or the thing doing the calling?
MCP Server — Drupal as the server. It's built on Tool API for plugin discovery and execution, and integrates the official PHP MCP SDK, a collaboration between the PHP Foundation and the Symfony project, with architectural inspiration from the Symfony MCP Bundle. It supports both STDIO and HTTP transport, ships a full admin UI at /admin/config/services/mcp-server/tools, and just introduced MCP Studio — a no-code environment for building MCP tools without writing PHP.
Authentication is where this module earns its enterprise credibility: Simple OAuth 2.1 with two modes per tool — Required (mandatory Bearer token, specific scopes, HTTP 401/403 as appropriate) or Disabled (public, read-only tools only). The module's author also maintains Simple OAuth and Simple OAuth 2.1, which explains the depth of the integration.
Connecting to Claude Desktop is a one-line Drush config:
{ "mcpServers": { "drupal": { "command": "vendor/bin/drush", "args": ["mcp:server"], "cwd": "/path/to/your/drupal/site" } } }MCP Client — Drupal as the caller. It lets Drupal connect outward to external MCP servers and expose their tools inside Drupal's own AI module, using the Key module for secure credential storage. If MCP Server answers "let Claude talk to my Drupal," MCP Client answers "let my Drupal talk to an external tool server."
A third, unofficial project, MCP Tools, has real traction (120 reporting sites) but solves a different problem: 222 tools across 35 optional submodules for conversational site-building — content types, roles, views, cache, security audits — with its own scope-based access control, rate limiting, and audit logging. It's not a substitute for MCP Server's production content exposure; it's closer to a natural-language site-builder assistant.
The operational warning nobody else is flagging
A drupal.org issue opened June 7, 2026 (#3593467) matters more than most changelogs: both MCP Server and the official PHP SDK are in active development with no fixed releases, meaning a routine composer update can pull unversioned breaking changes — the route recently changed from /_mcp to /mcp without a formal changelog entry. The issue's explicit recommendation: pin the mcp_server and SDK versions in composer.json rather than tracking the development branch.
This connects to a wider security trend worth taking seriously: vendors like CyCognito are already cataloging externally reachable MCP servers as part of organizations' external attack-surface inventories.
A misconfigured Drupal MCP Server — auth left in Disabled mode where it shouldn't be — is exactly the kind of asset that automated discovery finds first.
FAQ
Has the original MCP module disappeared?
Not yet, but it's mid-transition: drupal.org confirms it's merging into MCP Server, and the namespace will be repurposed as a recipe and "digital garden" for MCP-related projects. New implementations should use MCP Server directly.
Are MCP Server and MCP Tools competitors?
Not exactly — they solve different problems. MCP Server exposes content and business logic under OAuth 2.1; MCP Tools is built for conversational site-building with its own scope controls.
Is this safe to run in production today?
With mandatory OAuth 2.1 authentication and pinned versions in composer.json, yes. Without pinned versions, no — the module and SDK change without formal releases.
How does this connect to Claude Desktop or Cursor?
Via Drush: the
vendor/bin/drush mcp:servercommand exposes the site as a configurable MCP server directly in the client's config file.What role does the Key module play?
MCP Client uses it for secure storage of API keys when Drupal connects outward to external MCP servers.
Want to expose your Drupal site as an MCP server without expanding your attack surface? Let's talk →